Strange problem with applying securityContext.appArmorProfile.type on pod/container level

Hi folks! I stumbled upon a strange problem with applying securityContext.appArmorProfile.type on the pod/container level, either when creating the pod directly or via a Deployment/DaemonSet/StatefulSet.

When I apply the manifest

apiVersion: v1
kind: Pod
metadata:
  name: hello-apparmor
#  annotations:
#    container.apparmor.security.beta.kubernetes.io/hello: unconfined
spec:
  securityContext:
    appArmorProfile:
      type: Unconfined
  containers:
  - name: hello
    image: busybox:1.28
    command: [ "sh", "-c", "echo 'Hello AppArmor!' && sleep 1h" ]
    securityContext:
      appArmorProfile:
        type: Unconfined

the pod created has

spec:
  containers:
    - name: hello
      securityContext: {}
  securityContext: {}

but when the manifest has

metadata:
  name: hello-apparmor
  annotations:
    container.apparmor.security.beta.kubernetes.io/hello: unconfined

the pod created has

spec:
  containers:
    - name: hello
      securityContext:
        appArmorProfile:
          type: Unconfined
  securityContext: {}

What I've double-checked:

  • there are no interfering validating/mutating webhooks
  • no Pod Security Standard is explicitly applied to the target namespace

Moreover, I have a more or less similar cluster, with the same set of software and the same versions, which works like a champ.

Dear colleagues, I would be very grateful for fresh ideas / troubleshooting scenarios / insights.

Br, Alexey

Cluster information:

Kubernetes version: v1.32.5+rke2r1
Cloud being used: bare-metal
Installation method: rke2
Host OS: Ubuntu 24.04.1 LTS
CNI and version: cilium v1.17.4
CRI and version: containerd v2.0.5-k3s1
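An added troubleshooting helper, not part of the original post and not Kubernetes project code. It takes the pod as submitted and the pod as the API server handed it back and lists every securityContext.appArmorProfile entry that went missing, derives the per-container profile the legacy container.apparmor.security.beta.kubernetes.io/<name> annotation maps to (the documented values are unconfined, runtime/default and localhost/<profile>), and reads the state of the AppArmorFields feature gate (the gate the appArmorProfile field was introduced behind in v1.30) from a kube-apiserver /metrics excerpt. All inputs below are constructed to mirror the post, including the made-up gate stage in the metrics sample; in practice feed it the output of `kubectl apply --dry-run=server -f pod.yaml -o json` and `kubectl get --raw /metrics`.

```python
"""Compare a submitted pod with what the API server returned and report which
securityContext.appArmorProfile entries were dropped, what the beta annotation
implies, and the AppArmorFields gate state from kube-apiserver /metrics.
All inputs are constructed samples that mirror the forum post."""
import json
import re

ANNOTATION_PREFIX = "container.apparmor.security.beta.kubernetes.io/"
CONTAINER_KINDS = ("initContainers", "containers", "ephemeralContainers")

# Constructed sample: the post's manifest in JSON form, and the object the
# server returned for it (both securityContext blocks emptied, as reported).
SUBMITTED = {
    "apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "hello-apparmor"},
    "spec": {
        "securityContext": {"appArmorProfile": {"type": "Unconfined"}},
        "containers": [{
            "name": "hello", "image": "busybox:1.28",
            "command": ["sh", "-c", "echo 'Hello AppArmor!' && sleep 1h"],
            "securityContext": {"appArmorProfile": {"type": "Unconfined"}},
        }],
    },
}
RETURNED = json.loads(json.dumps(SUBMITTED))   # deep copy, then strip the fields
RETURNED["spec"]["securityContext"] = {}
RETURNED["spec"]["containers"][0]["securityContext"] = {}

# Constructed sample of the annotation form of the same pod.
ANNOTATED = json.loads(json.dumps(SUBMITTED))
ANNOTATED["metadata"]["annotations"] = {ANNOTATION_PREFIX + "hello": "unconfined"}

# Constructed kube-apiserver /metrics excerpt; the stage labels are made up.
SAMPLE_METRICS = """\
# HELP kubernetes_feature_enabled This metric records the data about the stage and enablement of a k8s feature.
kubernetes_feature_enabled{name="AppArmorFields",stage="GA"} 1
kubernetes_feature_enabled{name="SomeOtherGate",stage="ALPHA"} 0
"""


def apparmor_paths(pod):
    """Map each securityContext location that carries an appArmorProfile to it."""
    spec = pod.get("spec", {})
    found = {}
    prof = (spec.get("securityContext") or {}).get("appArmorProfile")
    if prof:
        found["spec.securityContext.appArmorProfile"] = prof
    for kind in CONTAINER_KINDS:
        for c in spec.get(kind, []):
            prof = (c.get("securityContext") or {}).get("appArmorProfile")
            if prof:
                found[f"spec.{kind}[{c['name']}].securityContext.appArmorProfile"] = prof
    return found


def dropped_fields(submitted, returned):
    """Paths whose appArmorProfile was sent but is absent or altered in the server's copy."""
    sent, got = apparmor_paths(submitted), apparmor_paths(returned)
    return sorted(p for p, v in sent.items() if got.get(p) != v)


def expected_from_annotations(pod):
    """Per-container profile implied by the beta annotation, keyed like apparmor_paths()."""
    expected = {}
    for key, value in (pod.get("metadata", {}).get("annotations") or {}).items():
        if not key.startswith(ANNOTATION_PREFIX):
            continue
        name = key[len(ANNOTATION_PREFIX):]
        if value == "unconfined":
            prof = {"type": "Unconfined"}
        elif value == "runtime/default":
            prof = {"type": "RuntimeDefault"}
        elif value.startswith("localhost/"):
            prof = {"type": "Localhost", "localhostProfile": value[len("localhost/"):]}
        else:
            raise ValueError(f"unrecognised AppArmor annotation value: {value!r}")
        expected[f"spec.containers[{name}].securityContext.appArmorProfile"] = prof
    return expected


_SAMPLE_RE = re.compile(r'^kubernetes_feature_enabled\{([^}]*)\}\s+(\S+)')
_LABEL_RE = re.compile(r'(\w+)="([^"]*)"')


def feature_gate_state(metrics_text, gate):
    """(stage, enabled) for `gate` from /metrics text, or None if the gate is not listed."""
    for line in metrics_text.splitlines():
        m = _SAMPLE_RE.match(line)
        if not m:
            continue
        labels = dict(_LABEL_RE.findall(m.group(1)))
        if labels.get("name") == gate:
            return labels.get("stage", ""), float(m.group(2)) != 0
    return None


if __name__ == "__main__":
    print("dropped:", dropped_fields(SUBMITTED, RETURNED))
    print("annotation implies:", expected_from_annotations(ANNOTATED))
    print("AppArmorFields gate:", feature_gate_state(SAMPLE_METRICS, "AppArmorFields"))
```

A server-side dry run reproduces the drop without creating anything, so the same comparison can be run against the healthy cluster and the misbehaving one with identical input; if the gate does not appear in /metrics at all on one of them, that itself is a difference worth noting.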